ASA 8.3 - WebVPN and Failover (Act/Stby)

sez sharp
Level 1

In older versions of code WebVPN was not a supported feature on the ASA, however in 8.x and specifically 8.3 the rel notes no longer list it as an unsupported feature - does that mean WebVPN is fully supported by failover (Act/Stby) in 8.3?

I can see on my 8.3 Act/Stby failover pair the "CLI" based WebVPN config getting replicated as you'd expect but I cannot see the file based XML config (used in 8.x train) for things such as portal customisation or bookmarks on the standby ASA.

I'm trying to view the WebVPN file based XML config using ASDM connected to the standby ASA and it eventually times out when trying to browse portal customisation or bookmarks.

Does the WebVPN file based XML config get replicated in a failover pair?

Or if not, how do I get that content to the box?

thanks,

Sez

Accepted Solutions

Jennifer Halim
Cisco Employee

As per the following document, it states that:

"In Version 8.0 and later, some configuration elements for WebVPN (such as bookmarks and customization) use the VPN failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these elements between the members of the failover pair. Stateless (regular) failover is not recommended for WebVPN."

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1078936

If you have enabled stateful failover, and the bookmarks and portal customization for webvpn are still not replicated to the standby, I would suggest that you open a TAC case to further investigate the issue.

Hi Jennifer,

You are right, the listed customisations do get transferred across the state interface in a failover pair.

I think my issue was one to do with ASDM accessing the content on a secondary, after a failover and it is active and the primary is off-line.

The failed over WebVPN functionality works including the customisations but ASDM wouldn't let me get to the customisation xml content on the secondary to view it.

rgds

Robert Gartley
Level 1

I'm building out the same thing here. Here's what I've noticed...

Yes... your .xml client profile DOES get replicated but that's it. Along with the webvpn content, another thing that doesn't get replicated is your client packages. Why is this a big deal? When it fails over and there's no package available, Webvpn stops working!!! I had to have that package on there. In order to get that package on there, I had to failover to the secondary, upload it, re-add the package definition (svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1), and then failback.
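
Added example, not part of the thread and not Cisco code: a pre-failover check for the two conditions discussed above, namely that a stateful failover link is configured and that every `svc image` package named in the configuration is present on the standby unit's flash. The function names, the sample configuration, the second package name and the directory listing are constructed for illustration; the listing parser assumes the file name is the last field of each entry and compares names case-insensitively.

```python
import re

# Package definition in the form quoted in the thread:
#   svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
SVC_IMAGE = re.compile(r"^\s*svc image (\S+)(?:[ \t]+(\d+))?", re.M)
# "failover link <name> ..." designates the stateful failover link.
FAILOVER_LINK = re.compile(r"^failover link \S+", re.M)

def referenced_packages(running_config):
    """Paths of all svc image packages, sorted by their order number."""
    pairs = [(int(order or 0), path) for path, order in SVC_IMAGE.findall(running_config)]
    return [path for _, path in sorted(pairs)]

def files_on_flash(dir_listing, disk="disk0:"):
    """File paths from a directory listing (assumed: name is the last field)."""
    names = set()
    for line in dir_listing.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            names.add(f"{disk}/{fields[-1]}".lower())
    return names

def audit_standby(running_config, standby_dir):
    """Report whether stateful failover is set up and which packages are absent."""
    present = files_on_flash(standby_dir)
    missing = [p for p in referenced_packages(running_config) if p.lower() not in present]
    return {"stateful_link_configured": bool(FAILOVER_LINK.search(running_config)),
            "missing_on_standby": missing}

# Constructed sample input: active unit's config and standby unit's flash listing.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover link state GigabitEthernet0/3
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc enable
"""
SAMPLE_STANDBY_DIR = """\
Directory of disk0:/

136    -rwx  4181246     10:02:11 Mar 03 2011  anyconnect-win-2.5.2014-k9.pkg
"""

if __name__ == "__main__":
    print(audit_standby(SAMPLE_CONFIG, SAMPLE_STANDBY_DIR))
```

Run it against the active unit's configuration text and a flash directory listing captured from the standby; any path under `missing_on_standby` has to be copied to the standby before a failover.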